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Description 

ThiL invention relates generally to point of sale and electronic funds transfer systems and in particular 
5 to the personal verification of users of such systems. 

Eiectronic funds transfer {EFT) is the name given to a system of directly debiting and crediting 
customer and service suppliers' accounts at the instant of confirmation of a transaction. The accounts are 
held at a bank, or credit card. company's central processing system, which Is connected to. a dedicated 
network of retailers or service suppliers' data processing equipment In this way no cash or check 
fo processing is required for the transaction. ... ^ ^ i 

Point of sate (POS) is the name given to retailers' data processing systems in which check-out or sale 
point tills are connected directly to a data processing system. Details of current transactions can then be 
used for stock control, updating customer accounts held locally and monitoring the retailers flow of 
business. A POS terminal can include the function required for an EFT terminal and be connected to an EFT 
IS network as well as the local retailers data processing system. . ^ ^ x.u 

In a simple application each bank or credit card company has its own network and each customer of the 
bank has a credit card which can only be used on that network, such a network is described In European 
Patent Publication 32193. 

20 Background of the invention . ^. ^ ^ ^ 

European Patent Publication 32193 (IBM Corporation) describes a system m which each user and 
retailer has a cryptographic key number-retailer's key Kr and user's key Kp-whlch is stored together with 
the user's account number and retailer's business number in a data store at the host central processing unit 
(CPU). The retailer's key and the user key are used In the encryption of data sent brtween the retailer's 
25 transaction terminal and the host cpu. Obviously only usere or customere with their Identity nurnbers and 
encryption keys stored at the host cpu can make use of the system. As the number of usere expands there is 
an optimum number beyond which the time taken to look up corresponding keys and identity numbers is 
unacceptable for on-line transaction processing. ... , .j *r««„*.^.. 

The system described is only a single domain and does not involve using a personal identification 
30 number (PIN). Verification of the user's identity Is at the host and without a PIN there is no bar to users 
using stolen cards for transactions. , , . ^ 

European Patent Publication 18129 (Motorola Inc.) describes a method of providing security of data on 
a communication path. Privacy and security of a dial-up data communications rietwork are provided by 
means of either a user or terminal Identification code together with a primary cipher key. A list of valid 
35 identification codes and primary cipher key pairs Is maintained at the central processmg unit. Identification 
iooae and cipher key pairs sent to the cpu are compared with the stored code pairs. A correct companson is 
required before the cpu will accept encoded data sent from the terminal. All data sent over the network is 
ciphered to prevent unauthorised access using the relevant user or terminal key. 

The system described |s a single domain In which ail terminal keys (or user keys) must be known at a 
40 central host location. Hence, the ideas described in the patent do not address a multi-host environment and 
thus are not addressing the interchange problem either. ^ ^ _. u 

UK Patent Application 2,052,B13A (Atalla Technovatlons) describes a method and apparatus which 
avoids the need for transmitting user-Identification Information such as a pereonal identification number 
(PIN) in the clear from station to station In a network such as described in the two European Patent 
45 Publications mentioned above. The PIN is encoded using a randomly generated number at a user station 
and the encoded PIN and the random number are sent to the processing station. At tiie processing station a 
second PIN having generic application is encoded using the recehred random number and the receive 
encoded PIN and the generic encoded PIN are compared to determine whettierthe received PIN Is valid. 
This system does not use a personal key and as a consequence for a sufficlentiy cryptographicaliy 
so secure system, it is necessary to have a PIN with at least fourteen random characters (four bits each). This is 
a disadvantage from the human factor point of view as users will have difficulty remembering such a long 
string of characters and the chances of Inputting unintentionally an incorrect string is very large. If a phrase, 
which a user can easily remember, is employed for a PIN, about 28 charactere are required. Although 
remembering the information is not a problem, inputting such a long string of data still presents a human 

55 factore^p^oblem.^^ ^^^^ possible by the systems described in the above patent applications is limited to 
a single host cpu holding the accounts of all usere, both retailers and customers. 

An EFT system in which many card issuing organisations (banks, credit card companies, etc.) are 
connected and many hundreds of retail organisations are connected tiirough switching nodes such as 
so telephone exchanges, brings many more security problems. ^. ^ 

PCX publication Wo 81/02655 (Marvin Sendrow) describes a multi-host, multi-user system in which the 
PIN is ciphered more than once at the entry terminal. The data required to validate and authorise the 
transactions is transmitted to a host computer which accesses from its stored data base the data that is 
required to decipher and validate the transaction, including the ciphered PIN. A secret temiinal master key 
65 must be maintained at each terminal. A list of these master keys is also maintained at the host computer. 
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The maintainfng of lists of terminal master keys at eaph of the card Issuing organisation's host 
computers is obviously a difficult task, in a complex system where the terminal keys are not controlled and, 
therefore, not known by the card issuing host 

European Patent Publication 55580 (Honeywell Information Systems) seeks to avoid the necessity of 

* transmitting PIN Information in the network by performing PIN verification at the entry point terminal. This 
is achieved by issuing each user with a card that has encoded in the magnetic stripe the bank Identification 
(BIN), the user's account number (ACCN) and a PIN offset number. The PIN offset Is calculated from the PIN, 
BIN and ACCN. The user enters the PIN at a keyboard attached to the terminal, which also reads the PIN 
of^et BIN and ACCN from the card. The terminal then re-calcUlates a PIN offset from the user's entered • 
PIN, the BIN, and ACCN. If the re-calculated PIN offset is the same as the PIN offset read from the card then 
verification of the PIN is assumed. This approach has the disadvantage in that the system is not involved in 
the validation and that knowing that the PIN offset is calculated from the PIN, the BIN and ACCN, anyone 
having knowledge of the process can manufacture fraudulent cards with valid PINS. 

UK Patent Application 2050021 A (Atalla Technovations) describes a secured data Transmission system 
that relies upon ^e favourable comparison of coded signals derived from information about authorised 
users and data terminals. The authorisation is pre-started and subsequently supplied under manual 
commands to generate an operating key which is then used to encode and decode data that Is entered after 
an Initiaiisation procedure. 

Advances in microcircult chip technology has now led to the possibility that user cards instead of 

20 having user data stored on a magnetic stripe can contain a microprocessor with a read only store (ROS). 
The microprocessor Is activated when the card is placed in an EFT terminal and the appropriate power and 
data transmission interface connections are made. The microprocessor on the card Is controlled by control 
programs stored in the ROS. The users and issuers identification can also be stored in the ROS together 
with other information. 

25 Examples of such cards including a microprocessor are shown In United Kingdom Patent Applications 
2.081 ,644A and 2,095,175A. 

European Patent Application No. 82306989.3 (IBM) describes a method and apparatus for testing the 
validity of personal identification numbers (PIN) entered at a transaction terminal of an electronic funds 
transfer network in which the PIN Is not directly transmitted through the network. The PIN and the personal 

30 account number (PAN) are used to derive an authorisation parameter (DAP). A unique message is sent with 
the PAN to the host processor where the PAN Is used to Identify a valid authorisation parameter (VAP). The 
VAP is used to encode the message and the result (a message authentication code MAC) transmitted back 
to the transaction terminal. The terminal generates a parallel derived message authentication code (OMAC) 
by using the DAP to encode the message. The DMAC and MAC are compared and the result of the 

35 comparison used to determine the validity of the PIN. 

In sudi a system the generation of DAP as well as VAP Is based on a short PIN only and Is therf foret 
cryptographlcally weak. Furthermore, the EFT transaction temiinal. has access to all the informatibh earned 
on the identity card which may be regarded as a security weakness In the system. The present invention 
seeks to overcome such deficiencies by storing personal key data in a portable personal processor carried 

^ on a card and only processing the key data on the card. 

In any multi-domain communication network where such domain includes a data processor and in 
which cryptographlcally secure transmission takes place it is necessary to establish cross domain keys. A 
communication security system in which cross domain keys are generated and used is described in United 
States Patent No. 4,227,253 (IBM). The patent describes a communication security system for data 

45 transmissions between different domains of a multiple domain communication network where each 
domain includes a host system and its associated resources of programs and communication terminals. 
The host systems and communication terminals include data security devices each having a master key 
which permits a variety of cryptographic operations to be performed. 

When a host system in one domain wishes to communicate with a host system in another domain, a 
• so common session key Is established at both host systems to permit cryptographic operations to be 
performed. This is accomplished by using a mutually agreed upon cross-domain key known by both host 
systems and does not require each host system to reveal its master key to the other host system. The cross 
domain key is enciphered under a key encrypting key at the sending host system and under a different key 
encrypting key at the receiving host system. The sending host system creates an enciphered session key 

ss and together with the sending cross-domain key performs a transformation function to re^ncipher the 
session key under the cross domain key for transmission to the receiving host system. At the receiving host 
system, the receiving host system using the cross^maln key and the recehred session key, performs a 
transformation function to re-enclpher the received session key from endpherment under the cross 
domain key to encipherment under the receiving host system master key. With the common session key 

60 now available in usable form at both host systems, a communication session is established and 
cryptographic operations can proceed between the two host systems. 

Reference to the following publications are included as giving genera) background information is 
• encryption techniques and terminology: 

1. IBM Technical Disclosure Bulletin, Vol. 19, No. 11, April 1977, p. 4241, 'Terminal Master Key 

£5 Security" by S. M. Matyas and C H. Meyer. 
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2 IBMTechnical Data Bulletin, Vol. 24, No. IB, June 1981, pp. 561-565, "Application for Pereonal Key 
Crypto with Insecure Terminals" by R. E. Lennon, S. M. IWIatyas, C. H. IWIeyer and R. E. Shuck; 

3 IBM Technical Data Bulletin, Vol. 24, No, 7B, December 1981, pp. 3906--3d09, P.n Protection/ 
Verification for Electronic Funds Transfer' by R. E. Lennon, S. M. IVIatyas and C. H. ^^y^"; 

5 4. IBM Technical Disclosure Bulletin, Vol. 24, No. 12, IVlay 1982, pp. 6W)4-650VTe^onal Venfication 
and Message Authentication Using Personal Keys" by R. E. Lennon, S; M^as a^^^^^ 

5 IBM Technical Disclosure Bulletin, Vol. 25, No. 5. October 1982, pp. 2358-2360, Authentication with 
• Stored KP and Dynamic PAD" by- R. E. Liennon, S.- M- Matyas. and.C. H. Meyer. 

'"TeTrlnn"n"use3 a .ime v,rian. key which is based upon a card usen. P?^™' 
number (PAN), personal key (KP) and a transaction variable. When an issuer host receives a message 
TncM^J a mL'age authenlicSation code generated using the time variant key (Identified as KSTR m the 
preferred embodiment) then the issuer is assured that when the ^^^^^^^^^ ''J"'^^!' I "«^t Ji^SlS 
valid PAN and a valid KP was Involved and that the message does not onginate from a potentially 

AnoSersoureVof frau attack is guarded against by the encipherment of the transaction variable 
under the key KS and using this quantity in the calculating of message authentication code^ W a 
mesfiaae Is received bv the issuer including the session key enciphered under a cross-domain key then if 
'^V!^Z^e^lTZt^oni^ changed for any reason, the message -J'^-f »<;f °" ^^^^^ 

on the changed session key will not be the same as the received message authentcatl^^^^^^ 
MAC check therefore not only validates the part of the message in which the MAC was calculated, but also 

the correct reception of the enciphered session key. 

^^eTse of the transaction variable generated at the EFT terminal and the P««°2?'.''^L^'i^Loti?,^K 
on the card also ensures that the transaction variable cannot be produced separately by a potentially 
fraudulent user, terminal operator or even a potentially fraudulent 'Muer. ut^h ccTtormSnaio 

According to the invention there is provided an electronic funds transfer system in which EFT terminals 
are connected through a local data processing centre (acquirer) to a public switch system (switch), a 
plurality of card-issuing agencies' data processing centres are also connected to the public switch system 
30 and each user of the EFT system has a personal secure intelligent bank card on which is stored a personal 
account number <PAN) and a personal key (KP), the system including means at eahc local data processing 
centre to generate session keys (KS) for each of its locally attached terminals, and to transmit an associated 
session key to a respective terminal, at each terminal means to store the session key, means to encipher 
sensitive data (PAN) under the session key whenever a transaction request message is generated, means to 
35 generate a transaction variable for each transaction initiated at the terminal and to transfer the transaction 
variable to the card, hieans to transfer a nriessage request including the transaction vanable enciphered 
under KS to the users card and means on the card to generate a message authentication code using a 
time-variant key (KSTR1) based upon the users PAN. KP and the transaction variable, means at each local 
data processing centre to encipher the appropriate session key under a cross-domain key whenever a 
40 transaction request message is received and to add the enciphered key to the message, means at each 
processing node of the public switch system to translate the enciphered session key from encipherment 
under a receh/ed cross-domain key to a transmission cross-domain key, means at the card issuing agency's 
data processing centre to decipher the enciphered session key and to use the key to decipher any sensitive 
data contained in the request message, and means to regenerate the message authentication code using 
45 KSTR1 which is generated from parameters based upon the PAN and KP and the received transaction 
variable for comparison with the message authentication code included In the recehred message. 

In order that the invention may be fully understood a preferred embodiment thereof will now be 
described with reference to the accompanying drawings: 

so Brief description of the drawings 

Fig. 1 is a block schematic showing the component parts of an EFT network; 

Fig. 2 is a block schematic of the retail store components of the EFT networi<; 

Rgs. 3—9 illustrate enciphering techniques used in the preferred embodiment; 

Figs. 10—12 are flow charts illustrating the steps of the method of the preferred embodiment; 
ss Hgs. 13—17 illustrate the message formats used in the prefenred embodiments. 

Table of abbreviations ..... ^ 

In the designation of the preferred embodiment the following abbreviations are used: 

60 AP=authentication parameter (generated from PAN, KP and PIN) 

BlD=bank or card issuer's identity 

Ki= interchange key 

KP= personal key 

KMO=host master key 
65 KM1 -first variant of host master key 
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KM2=second variant of host master key 
KIVl3=thjrd variant of host master key 
KMT-termlnal master key 
KS»session key 

KST1=transaction session key one (generated from Tterm, card and KTRI) 
KSTR2=transaction session key two (randomly or pseudo-randomiy generated) 
KSTR3=transactlon session key three (generated from TIss, term, card and KTR2) 
KTRI =transactcon key one (generated from PAN and KP) 
KTfi2=trahsactjoft key two (generated from PAN, KP and PIN) • • 
MAC= message authentication code 
PANsprimary account number 
PINsuseKs personal identification number 
Tcards^time-variant information generated by bank card 
Tiss-time-variant information generated by Issuer 
TtermBtime^ariant information generated by terminal 

Tterm,card=time-varlant Information generated from Tterm and Tcard using a one-way function 
Ti5S,term,card=time-variant information generated from Tlss and Tterm^rd 
TAP1stlme-va riant authentication parameter (generated from Tterm^card and AP) 
TAP2=tlme-va riant authentication parameter (generated from Tiss^erm^card and TAP1 
TlD-terminal ID 

SEQterm-terminal sequence number 
SEQjss» issuer sequence number. 

Preferred embodiment of the invention 

2s Referring now to Rgure 1 an EFT network is shown in which card issuing agencies' data processing 
centres 10 are connected through a packet switched communication network 12 through network nodes 14 
to retail store controllers 16. Each store controller 16 Is connected directly to the store's EFT transaction 
terminals 18 which have an interface including power and input-output means for communicating with a 
portable microprocessor 20 contained on a personal identity card issued by one of the card issuing 

jQ agencies. 

The store controller 16 may also be directly connected with the retailers own data processing centre 22. 
The retail store components of the network are expanded in Rg. 2. The EFT transaction terminal may 
Include a point of sale checkout terminal 24 including an EFT module 26 and having a consumer module 28 
connected so that a user can key-in data on the module. The store computers can also include an enquiry 
35 station which Is an EFT module 30 and consumer module positioned so that users cart communicate 
directly with the card issuing agency asking for example for the current balance or credit limit on their 
accounts before making a purchase. 

The consumer modules 28 are a twelve button key pad with, for example, a liquid crystal display such 
as are now in common use for other applications, hand calculators, remote TV s^ectors, etc. 
40 The EFT modules and point of sale terminals each have their own microprocessor and encryption- 
decryption modules together with read only and random access storage devices. The network nodes have 
a larger capacity processor such as the IBM Series 1 processing unit, {\BM is a Registered Trade Mark). 

In the preferred embodiment of the invention a card issuing agency prepares Individual user cards for 
each user. The cards include a personal portable microprocessor, a read only store (ROS) a random access 
45 memory (RAM) and an encryption device. The ROS for each user includes a persona) encryption key (KP) a 
user Identity code or personal account number (PAN) and a card issuer's identity code (BID). The KP, and 
PAN, are also stored at the issuing agency's data processing centre together with a personal identification 
number (PIN). BID is a code that Identifies the issuing agency's data processing centre to the BFT network. 
Each unit in the network has an identity code which is used for routing messages through the network. 
so The EFT modules also include a microprocessor, RAM and ROS stores and an encryption device. 
Depending upon the further encryption techniques employed in the network, the store controllers and 
packet switched network nodes contain data processing and encryption devices. 

When the EFT network is set up in order for secure transmission of transaction messages to take place 
it is necessary to generate identity numbers and endpherment keys used at the various nodes of tiie 
^ network. These pregenerated quantities are: 

AP~generated at card issuing agency; defined as: Ep,„9Kp(PAN)©PAN. 
Kl — generated at switch; issuer, acquirer 
KP— generated at issuing agency; 
KMO— generated at issuer, acquirer, switch 
.KMT— generated at acquirer 

KTRI — generated at issuer; defined as: Dkp(PAN)©PAN. 
KTR2— generated at Issuer; defined as: Dp„«Kp(PAN+l)©(PAN-»-l). 
PAN — generated at issuer 
PIN— generated at issuer 
TID— generated at acquirer. 
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Where e denotes modulo 2 addition and + denotes modulo 2^ addition. 
At initiajisation of tlie system the KP, PIN and PAN quantities are used to generate AP, ICTRI and ICTR2, 
which are unique to each user card. The quantities AP, ICTRI and KTR2 are stored at the issuer's data 
processing centre enciphered under the second variant {KM2| of the issuer's master key and associated 
5 together and enclosed by the PAN for the user. The quantities PAN, PIN and KP for each user are also stored 
offline for backup purposes (e.g., in a safe or vault) and are erased from main memory once AP, KTR1 and 
ICTR2 have been generated. 
• For each card, a unique PAN and KP are- stored. In the. cards ROM. ■ . 
Each user must store separately or remember the unique PIN. 
10 A unique TID and KMT are stored in each terminal and at the associated acquirer. 

A unique KMO for each processing node is stored at that node, i.e., issuer, acquirer and switch. 
During the course of a transaction, some of these values and others based upon stored values are 
generated dynamically at locations In the network. 

The Rg. 1 configuration of the system shows a complete organisation in which a large retail outlet has 
w its own "In-store" data processing system. In this case, the retailer's data processing system Is regarded as 
the acquirer and the PSS node as the switch. ^ ^, ^, . ^ 

In a simpler organisation where a small retailer may have only one terminal connected directly to the 
PSS node, then the function of the acquirer and switch are combined and there is no cross-domain 
translation required between acquirer and switch. 
20 The following cryptographic operations are available at the host system of the Issuer, acquirer and 
switch. 



Encipher Data (ECPH): 

ECPH: [E^mK. X,, Xj XJ 

2S -EkXv EkIX2©EkX,) Ek(X„©EkX„-,) 

Decipher Data (DCPH): 

DCPH: IEkmoK, Y„ Ya, . . ., Y„] 

-^DkYi. Dk(Y2)©Y, DK(YJ®Yn-1 

30 

Set Master Key [SMK): 

SMK: IKMOI Write Cipher Key KMO in Master Key Storage 

. Encipher Under Master Key <EMKO): 
35 EMKO: IKl-»EKMaK 

Re-encipher From Master Key (RFMK): 
RFMK: IEkmiKN, EkmoKI^EknK 

40 Re-encipher To Master Key (RTMK): 
RTMK: [Ekm^KN, EknKI-^EkmoK 

Translate Session Key (TRSK): 

TRSK: tEKi«KN1, EkniKS, EkmiKN2HEkn2KS 

45 

European Patent Application 821108/49 describes a system for performing the TRSK function. 
The following cryptographic operations are available at the terminal: 

Load Key Direct (LKD): 
so LKD: [Kl Load Cipher Key K into Working Key Storage 



Write Master Key (WMK): 

WMK: [KMTI Write Cipher Key KMT In Master Key Storage 

55 Decipher Key (DECK): ^. ^ ^ . u vr * 

DECK: [EkmtKI Decipher EkmtK under the terminal master key KMT and load recovered cipher key K into 
the Working Key Storage 

Encipher (ENC): 

60 ENC: tX„ Xj X„l 

— »EkwXi, Ekw(X2©EkwXi), • . EKw(Xn®E|cw(Xfl..^)) 

Where KW is the current woricing key in the working key storage. 
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Decipher (DEC): 

DEC: [Yv Ya YJ 

-*Dkw(YJ, Dkw(Y2)®Y, DKw(Y,)©Yn-l 

5 Where KW is tfie current working key in the working key storage. 

Encipher Data (ECPH): 

. . ECPH; IEkmtK,.Xv . XJ . 

-»Ek(x,), Ek(X2©^k(x,)), Ek(X„©e;(X^,)) 

to 

Decipher Data (DCPH): 

DCPH: [EkmtK, Y„ Y2, . . YJ 

-*Dk(Y,), DkIY,|®Y| Dk(Y,)©Y„-,. 

IS At this point it is useful to realise that quantities held at the issuer are stored enciphered under the 
processor master key KMO or a master key variant KM2. The general decipher-encipher sequence is 
illustrated in Fig. 3. A sensitive quantity (Q) is held in store enciphered under KM2 (EkmsCI)- The enciphered 
value is deciphered using KM2 as the key and Q is used as the key to decipher a further variable KEY stored 
enciphered under key Q (EqKEY). The deciphered ICEY is then enciphered using the master key KMO as the 

20 key and the result is EkmoO<EY). This first operation is called a RTMK function. 

To use KEY to encipher a further quantity 02 then EkmqKEY is deciphered using KMO as the key and the 
deciphered KEY is used as the key in enciphering 02 giving Ekey02. This second operation is called an 
ECPH function. 

These operations all take place in the cryptographically secure hardware circuits (defined 
25 cryptographic facility or security module) and consequently while 0 and KEY appear in the clear, they are 
not available outside the secure hardware. 

Rg. 4 illustrates the RFMK sequence. A key Kl stored enciphered with KM1 as Ekmi(KI) is deciphered 
using KM1 as the key recovering Kl in the clear. A second key KEY stored under enclpherment of KMO as 
EkmoKEY is deciphered using KMO as the key. The result of this dedphenfnent (KEY) Is then enciphered 
30 using Kl as the key giving E^KEY. 

As part of the system initialisation process, the acquirer (or other node) generates a series of terminal 
master keys (KMTI) for all the terminals associated with the acquirer system. These keys are protected by 
being enciphered under the first variant (KM 1 acq) of the acquirer master key (KM0acq) by an Encipher 
Master Key function (EMK1) to produce the result set forth by the following notation: 

35 

EMK1: lKMTiJ^EKMt.o9KMTI. 
The enciphered terminal keys are stored at the acquirer in a cryptographic data set until required for 
use in a cryptographic operation. Each terminal stores its own KMTi generated by the acquirer in a secure 
store. 

^ When a session Is to be established between the acquirer and a requesting terminal, it is necessary to 
establish a common session key (KS) between the acquirer and the terminal for secure data 
communication. Thus, the acquirer causes a pseudo random or random number to be generated which is 
defined as being the session key enciphered under a secondary file key KNFacq, I.e., EioipkoqKS and is 
retained at the acquirer for cryptographic operations during the communication session. In order to 
securely distribute the session key to the requesting teiminal, the acquirer performs a transformation 
function which re-enciphers the session key from enclpherment under the acquirer secondaiy file key to 
encipherment under the terminal master key, l.e., from EicNFMqKS to EkmtiKS. This transformation function 
may be defined by the notation: 

» TRSK: lEKMH3.«,KNFacq, B^^^KS, Ekm„i«:,KMTI1-EkmhKS 

Since KS is now enciphered under KMTi, it may be transmitted over the communication line to bind the 
requesting terminal to tiie acquirer for a communication session. 

When the EFT network is set up and the initialisation Is complete, i.e., the pregeherated values are 
^ stored at the respective locations, EFT transactions may occur. Each terminal has a sequence number 
counter which provides SEQterm for each transaction message initiated at that terminal. Each host also has 
a sequence number counter which provides SEQiss for each transaction message (Mresp) generated at the 
host data processing centre. These SEQ numbers are provided for audit purposes and do not relate directly 
to the invention. 

^ The preferred method of testing the validity of messages in the network is as follows: 

A transaction is initiated at a PCS terminal when a customer's user card is inserted in the EFT module. 
Insertion of the card couples the power and data bus connections to the personal portable microprocessor 
(p.p.m.). 

65 
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At the ppm {20 Rg. 1): 

Step CI Generate Tcard and transfer this variable to the EFT terminal together with card issuer 
identification (BID), personal account number (PAN). Other information such as credit limit 
may be passed at this time. 

Tcard is a time variant quantity and the method employs a system of time variant quantities In contrast 
to a universal time reference such as a time-of-day clock. This approach avoids synchronisation problems 
among the several generators of the desFred time-variant information. Bach node (ppm (20), EFT terminal 
(18) and card issuer host (10)) generates its own time variant quantity, Tcard, Tterm and Tiss, respectively. 
10 (If desired, time-of-day clock values may be included for auditing purposes). 

At the different nodes time variant quantities are obtained by combining various ones of the three 
individual quantities using an encipher function. 



At the EFT terminal (18 Fig. 1): 

Step T1 Generate Tterm and the combined Tterm.card based upon Tcard and Tterm. The generation 
of Tterm,card is illustrated In.Fig. 5. The variable Tcard is ciphered using the variable Tterm 
as an encryption key. To accomplish this Tterm is loaded as the working key using a Load Key 
Direct (LKD) operation and then Tcard is enciphered under Tterm using an Encipher (ENC) 
operation, as follows: 

LKD: [Tterml load Tterm as the working key. 



ENC: (TcardJ-^E-rt.nnTcard. 

2s The result, i.e.. ET,.rm(Tcard) is referred to as Tterm,card and stored In the tenfninals RAM. 

Step T2 Receive and store other transaction data (Card issuing agency BID, PAN, etc). 
Step T3 Formulate a message request (Mreq) having a format shown in Fig. 13 which at this time 
includes the combined time variant data Tterm,card generated at the terminal, the stored 
card information, TID and other transaction data. 

The Mreq is formed in a buffer store portion of the terminals, RAM and includes message address 
information BID. 

Step T4 Transfer the transaction request |TR) portion of Mreq and Tterm to the personal portable- 
35 microprocessor. 



Step C2 Using the received Tterm generate Tterm.card of reference using the technique shown in Fig. 
5. 

40 Step C3 Generate and store a transaction session key (KSTR1) using KP and Tterm,card. KSTR1 is 
used as the end to end key between the card and the issuer and is generated from PAN and 
KP read from the card and the card generated (Step T2) Tterm,card. 

The generation of KSTR1 is illustrated in Fig. 6. Using the user's personal key (KP) as the key the PAN is 
45 dedphered and then exclusively OR'd with the result to produce a time Invariant transaction key KTRI. 
Tterm,card is then deciphered using KTRI as the key to produce the first transaction session key KSTR1. 

Step C4 Store in the ppm RAM both KSTRl and Tterm,card. 

Step C5 Compute a message authentication code (MAC1 card, iss,) on the TR portion of Mreq which 
59 will include Tterm,card and using KSTRl. 

The generation of a message authentication code (MAC), which uses the Endpher Data (ECPH) 
operation, is illustrated in Rg. 7. The method used is the standard cipher block chaining (CBC) mode of 

DES. The inputs defined as XI, X2 Xn are 64 bit blocks of the request message. The initialising vector 

ss ICV Is set equal to zero In this process. _ 

The result of the first XOR is then endphered under the key K. In Step C5 the key K-KSTR1 Is used. The 
second block X2 is then XOR'd with the result of the first endpherment and the output of this XOR is 
enciphered using key K. This process is continued until Xn is reached and the output or part thereof is 
defined as the MAC. 

Step C6 Transfer the TR portion of Mreq and MAC1card,iss to the EFT temninal. 
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At the EFT terminal: 

Step T5 When the Mreq is received at the terminal, the PAN field of Mreq is enciphered under the 
session key to meet any system privacy requirements. The enciphered PAN then replaces the 
clear PAN in the Mreq which may then be transmitted over the communication line to the 
5 acquirer for transmission to the issuer data processing centre via the pacicet switching 

system PSS {14 Fig. 1). The encipherment of PAN under the session key KS at the terminal 
may be performed by an Encipher Data (ECPH) operation defined by the following notation: 

• ECPH: l6KMnKS,PANj-»EK8PAN. 

10 

In executing this operation, a Decipher Key (DECK) operation Is first performed to decipher EkmtiKS 
under the control of KMTi to obtain KS in clear form as the working key after which an Encipher (ENC) 
operation is performed to encipher PAN under control of KS to derive the enciphered PAN, i.e., EkbCPAN). 

The Tterm,card field of Mreq is also enciphered in the same manner using the Encipher Data (ECPH) 
15 operation, as follows: 

ECPH: [EkmtiKS, Tterm,cardl-*EK8Tterm,card 

and the enciphered Tterm,card replaces the clear Tterm,card in the Mreq, 
^0 Step T6 Transmit the received Mreq, MAC1card,iss, to the issuing agency data processing centre via 
the acquirer system and through a packet switched system node (14 Fig. 1). 

At the Node (or Acquirer System): 
Identify TID from received Mreq. 
^ Step N1 Using a Translate Session Key (TRSK) operation, together with enciphered key parameters 
E|£M3«eqKNFacq and EKMi«cqKlacq,sw obtained from the acquirer's cryptographic key data set 
(CKDS) and the stored enciphered session key Ek^p^^KS for the terminal designated by TID, 
re-encipher KS from encipherment under the secondary file key KNFacq to encipherment 
under Interchange key Kiacq,sw (shared with the switch) to produce EKi.eq3w(KS)» as follows: 

30 

TRSK: {EKM3«,KNFacq, En,p««,K8, EKMi«qKlacqwI-»EKtae,^wKS 

European Patent Application 821108/49 describes a system for performing the TRSK function. 
Place EKiteaswKS in the transaction message request as shown in Fig. 13. 

3$ 

Step N2 Transmit Mreq to the PSS switch. 
At the switch: 

Step SI Extract enciphered session key Ew,cq.«»KS from Mreq. Using a Translate Session Key (TRSK) 
40 operation together with encphered key parameters EKM3swKlacq,sw and EKMiawKlsw,l8S 

obtained from the switch's cryptographic key data set (CKDS) and the received enciphered 
session key EKi.eq.swKS, re-encipher KS from encipherment under Klacq,sw to encipherment 
under Klsw,iss, as follows: 

4S TRSK: (EKM3.wKlacq,sw, EKj.cq.«*KS, EKMi»wKlsw,issl-*EK,„.,„KS 

This re-enciphered session key, i.e., Ekisw4b»KS. replaces the previously enciphered session key in Mreq 
which is then transmitted to the card issuing agency data processing centre. 

so Step S2 Transmit Mreq from the switch to the issuer. 

At the Issuer DP Centre: 

Step 11 Receive and store Mreq and index it using TID. Extract enciphered session key Emsw^KS from 
Mreq. Using a Re-encipher to Master Key (RTMK) operation together with enciphered key 
55 parameter EKM3iM{Kl8W,is8> obtained from the issuer's cryptographic key data set (CKDS) and 

the received enciphered session key EKim.inKS, re<<ncipher KS from endpherment under 
Klsw,iss to encipherment under the issuer's host master key (KMOiss), es follows: 

RTMK: tEKM2iwKlsw,is8, Eki«,.imKSHEkmoi..KS. 

60 

Store EkwoissKS and index using TID. Extract EK8Tterm,card from Mreq, and decipher the 
enciphered Tterm,card by a Decipher Data (DCPH) operation using the recovered enciphered 
session key EkmoimKS to obtain Tterm,card in the dear as follows: 

6S 
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DCPH: [EicMoinKS, EKBTterm,cardl-»Tterm^rd. 

Replace the enciphered Tterm,card in Mreq with the clear Tterm,card. 

Extract EksPAN from Mreq and store in temporary buffer. Using a Decipher Data (DCPH) 
operation together with the recovered endphered session key EkmwmKS' decipher using KS 
to obtain PAN, as follows: 

• DCPH: 1€kmoi«KS, EksPAN)-+PAN. ■ . 

Step 12 The validity of PAN is checked by a table look-up process using the received deciphered PAN 
as an index to the table. If the PAN is valid then replace EksCPAN) with PAN In Mreq and 
continue at Step 13; otherwise continue at Step 117. 

Step 13 Generate and store a pseudo-random or random time-variant quantity Tiss. 

Step »4 Using an Encipher Master Key (EMKO) operation, encipher Tiss generated at Step 13 under the 
issuer's host master key (KMOissK as foilows: 

EMKO: (Tissl-^EKMOiss'nss. 

Generate and store the time-variant Tiss.term,card by using an Encipher Data (ECPH) 
operation together with the enciphered value of Tiss {i.e., Ewy,oi„Tiss) used as a key to 
encipher Tterm,card received in Mreq to produce E-n,.Tterm,card, as foilows: 

ECPH: (EKMois.Tiss,Tterm,card)-*ET,„Tterm,card 

where the desired Tlss.term,card is defined as quantity EyiMiTterm.card). 
Step 15 Generate KSTR2 using the RTMK operation of Fig. 3 together with the enciphered key 
parameter EKM2»«KNFiss obtained from the issuer's CKDS and Tiss.term,card obtained at 
Step 14 to produce Ekmoi»sKSTR2, as follows: 

RTMK: IEkm2i»(>^NRs8), Tiss.term,cardI-»EKMoi..(DKHn«Tis8,term,card) 

where KSTR2 is defined as DKNFi..Tiss,temiXMrd. 
Step 16 Generate KSTRI using the RTMK operation of Rg. 3 together with the enciphered key 
parameter Ekm2i..KTR1 foi" the particular cardholder with personal account number {PAN) 
obtained from the issuer's CKOS and Tterm,C8rd received in Mreq to produce EkmohsKSTRI, 
as follows: 

RTMK: lEKM2i»,KTR1Jterrn,card)-»EKMoi«<DKTmTtenn,card) 

where KSTRI is defined as DKRnTtemi,card. 
Step 17 Compute MAC1 card,iss of reference on the TR portion of the received Mreq by an Encipher 
Data (ECPH) operation (described by Rg. 7) using enciphered key parameter EkmoimKSTRI 
(obtained at Step 16) as follows: 

ECPH: IEKMoi«KSTR1,TRl-MAC1card,is8 

where the last or part of the last block of the resulting dphertext is defined as MAC1card.iss 
of reference. 

Step 18 If the MAC1 card,iss of reference equals the received MAC1card,iss then accept the Mreq and 
continue at Step 19, otherwise reject Mreq and continue at Step 117. 

Note that validating the MAC also simultaneously validates the received session key KS. If KS is 
changed, the deciphered value of Ttenn,card would be In error and the MAC check in turn would fail. 

A timeliness check at the issuer is, however, not possible since the issuer at this point has not received 
time-variant information it can check. (Note thatTterm,card as well as KS were generated outside the Issuer 
and thus the timeliness of these values cannot be checked by the issuer). This does not present a security 
weakness because the information the issuer sends out at this point is of no value to an opponent (Such 
information is obtainable by an opponent via stale messages sent to the Issuer). 

Step 19 If there is no reason to reject Mreq (e.g. funds are available, etc.), then continue at step 110 

othenvise reject Mreq and continue at Step 117. 
Step 110 Generate a first time variant authentication parameter (TAPI) using an RTMK operation 

together with the enciphered authentication parameter EknuiwAP (for the particular 

cardholder with personal account number PAN) obtained from the issuer's CKDS and 

Tterm,card received in Mreq, as follows: 
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RTMK: [EKM2i.»AP,Tterm^rdl— Ekmo,„(Dap Tterm,card)=EKiaoteaTAP1 

where TAP1 is defined as DApfTterm^rd). 

Also generate a second time variant authentication parameter (TAP2) using a OCPH 
operation together with the enciphered TAP1 {i.e., EKMomTAPI) used as a key parameter and 
T!ss«temri,card obtained at Step 14 to obtain: 

pCPH: lEKMpi».TAP1,Tiss,term.cardl-»pTAPiTlss,term,card 

where TAP2 Is defined as DTAPiTisSfterTn^card. 

TAP1 is defined as DApTterm^card and is obtained using the RTMK function of Rg, 6 where Q is AP (a 
quantity (EKPdpiNPAN)0PAN pregenerated during the initialisation process) and KEY Is Ttenn,card. The 
result of the FTMK operation Is Emwo'T'API as follow: 

RTMK: |EKM2iMAP.Tterm,cardl-EKMoTAP1. 

TAP2 Is defined as DrAPiTiss^term^rd and Is obtained In a DCPH function by deciphering EkmqTAPI 
under the nnaster key KMO and then deciphering Tiss,term,eard using TAP1 as the key as follows: 

DCPH: [EKMoTAP1«Tlss,term,card]-»TAP2 
In summary 

AP=(EKpePiNPAN}©PAN . . 

TAPl =sDApTterm,card 

TAP2»DTA(>iTlss,term»C8rd. 

Thus, the correct generation TAPl and TAP2 are directly dependent upon KP, PIN and PAN. 
Step 111 Formulate Mresp as shown in Fig. 14. 

Step 112 Compute MACliss,card on the card transaction response (CTR) portion of Mresp by an 
Encipher Data (ECPH) operation {described by Rg. 7) using enciphered key parameter 
EkmoKSTRI (obtained at Step 16) as follows: 

ECPH: IEKMoi«KSTR1,CTRl-^MAC1iss,card 

where the last or part of the last block of resulting ciphertext Is defined as MAC1iss,card: 
Transfer MAC1iss,card to Mresp. 
Step 113 Compute MACIIss^term on the terminal transaction response (TTR| portion of Mresp by an 
Encipher Data (ECPH) operation (described by Rg. 7) using enciphered key parameter 
Ekmo»«KSTR2 (obtained at Step 15) as follows: 

ECPH: IEkmo...KSTR2,TTRI— MAC1iss,term 

where the last or part of the last block of resulting ciphertext Is defined as MAC1lss,term. 
Transfer MAC1iss,term to Mresp. 
Step 114 Re-encipher the transmission session key KSTR2 from enciphenment under the issuer's host 
master key (KM0lss)» l.e., EKMomKSTR2, to encipherment under the Interchange key Kliss^, 
i.e., Ekii.s^KSTR2 by a Re-enclpher From Master Key (RFMK) operation using the enciphered 
key parameter EKMiissKliss,sw obtained from the issuer's CKDS and the stored enciphered 
transaction key, i.e., EKMotuKSTR2 as follows: 

RFMK: [Ekmii.,KIIss,sw, EKMete«KSTR2J-^EKiiM^STR2. 

Transfer Eiciiw.bwKSTR2 to Mresp. 
Step 115 Transfer EksPAN from buffer (Step 11) to Mresp. Where KP is less tiian a predetermined 
number of bits then TAP2 is also enciphered under KS using an ECPH function as follows: 

ECPH: IEkmoi„KS, TAPi21^E„TAP2. 

Transfer TAP2 or the enciphered TAP2 to Mresp depending on the size of KP. 
Step 116 Send Mresp to the PSS network. Continue at Step S3. 

Step 117 Negative response routine. Formulate Mresp as shown in Rg. 15. The data field will include 
information on why the transaction is not to be honoured, i.e., lack of funds. MAC check 
failure, etc. The message will also include TIss. 
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Step 118 Compute MAC1 iss,term on the TTR portion of the negative Mresp by an Encipher Data (ECPH) 
operation (described by Rg. 7) using enciphered key parameter EkmoissKSTR2 (obtained at 
Step 15) as follows: 

ECPH: lEKMoi««KSTR2,TTRDl->MACliss,term 

where the last or part of the last block of resulting ciphertext is defined as MACIiss.term. 
. Transfer. MAC1iss,temu to Mresp. . 
Step 119 Send Mresp to the PSS network. Continue at S3. 

At the PSS Switch: 

Step S3 Extract enciphered session key Ek,«,.i«KSTR2 from Mresp. Using a Translate Session Key 
(TRSK) operation together with enciphered key parameters EkmsmKIIss^sw and 
EKMi.wKlsw.acq obtained from the switch's CKDS and the received enciphered session key 
EKnM.,wKSTR2, reenclpher KSTR2 from encipherment under Kliss^swto encipherment under 

Kiswiacq, as follows: 

TRSK: IEKM3«wKnss,sw, Ek„,..,wKSTR2, EK»,i.wKlsw,acql 

-♦EKI»w^eqKSTR2 

Step S4 Replace Ekij„..wKSTR2 with EK„w.«qKSTR2 in Mresp. 
Step S5 Send positive or negative Mresp to the acquirer as appropriate. 

At the Acquirer: 

Step N3 Extract enciphered transaction session key Ek„w^«,KSTR2 from Mresp. Using a Translate 
Session Key (TRSK) operation together witfi enciphered key parameters EKM3.cqKlsw,acq 
and EKMi.oqKMT obtained from the acquirer's CKDS, re-enclpher KSTR2 from encipherment 
under KIsw.acq to encipherment under KMT (for the terminal with terminal Identifier TID), to 
produce EkmtKSTR2 as follows: 

^ TRSK: (EK„3.«,Kl8W,acq, Ek,.w.«,KSTR2, EK„,««KMTHEKMrKSTR2 

Step N4 Replace Ek,.w.^KSTR2 with E^irrKSTRa in Mresp. 

Step N5 Send positive or negative Mresp to the terminal as appropriate. 

35 -At the EFT terminaK r ^ . • ^ . , 

Step T7 Check to deteniriine whether the message has been received within a predetermined time 
period by using a time-out procedure. If the time is not exceeded then proceed to Step T8. 
else continue at Step T22. 
Step T8 Decipher the enciphered PAN, i.e., E^sPAN, by a Decipher Data (DCPH) operation the 
40 previously stored enciphered session key EkmtKS and E^sPAN received in Mresp as follows: 

DCPH: [EkmtKS, EksPAN1-*PAN 

Store EksPAN in a temporary buffer and replace EksPAN with the deciphered PAN in Mresp. 
45 If TAP2 is in enciphered form, i.e., EksTAP2. then decipher Ek8TAP2 by a Decipher Data 

(DCPH) operation using the previously stored EkmtKS and Eks{TAP2) received in Mresp as 
follows: 
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DCPH: [EkmtKS, Ek8TAP21-»TAP2 

SO 

Step T9 Store EkmtKSTR2 in an appropriate buffer. 

Step T10 If Mresp Is non-negative then go to step Til; otherwise. If negative go to Step TU. 
Step Til Compute MAC1Iss,term of reference on the TTR portion of the received Mresp by an 
Encipher Data (ECPH) operation (described by Fig. 7) using receWed enciphered key 
S5 parameter EkmtKSTR2 (obtained from Mresp at Step T9) as follows: 

ECPH: [EKMTKSTR2,TTR|-+MAC1iss,term 

where the last or part of the last block of resulting ciphertext is defined as MAC1iss,term of 
60 ' reference. If MAC1 iss.term of reference equals received MAC1 iss,term, then accept received 

message and go to Step T12.- othenr/ise, go to Step T14. 
Step T12 If received Tterm.card equals stored Tterni,card (Step T1), then , continue at Step T13; 

otherwise go to Step T14, 
Step T13 Send the CTR and MAC1iss,card portions of Mresp to the personal portable microprocessor 
65 (ppm). Go to Step C7. 
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Step T14 For a negative response message, computer MAC1 lss,ternt of reference on the TTRD portion 
of the received negative Mresp by an Encipher Data (ECPH) operation (described by Rg. 7} 
using received enciphered Icey parameter EkmtKSTR2 (obtained from Mresp in Step T9) as 
follows: 

5 

ECPH: (EkmtKSTRZ TTRDI-*MAClis8,term 

where the last or part of the last block of resulting ciphertext is defined as MAC1,iss,term of 

reference, if MAC1Iss,ternfT of reference equald received MAC1iss,term then continue at Step * 
™ T15, else go to Step 16. 

Step TIS If received Tterm,card equals stored Tterm,card (Step T1) then abort tiia transaction and 

continue at Step 122. (Since a definite negative replay has been received from the Issuer* no 

retry is allowed). Otherwise, go to Step 16. 
Step T16 The timeliness check and/or MAC check failed. 

Since there Is a doubt on the negatWe or non-negative response the system rules may 

allow one or more retry. That is a return to Step CI. After a limited number of unsuccessful 

retries, abort transaction and continue at Step T22. 

At the ppm: 

Step 07 Receive the CTR and MAC1lss,card portions of Mresp and store Tiss. 

Step C8 Computer MAC1 Iss.card of reference on the CTR portion of the received Mresp using stored 

key parameter KSTR1 (Step C4) as the enciphering key. Generation of a message 

authentication code is Illustrated in Rg. 7. 
Step C9 If MAC1i8S,card of reference equals received M AC1 iss,card then accept Mresp and continue 
2' at Step CIO; otherwise continue at Step C17. 

Step C10 If received Tterm,card equals stored Tterm,card (Step C4) then accept Mresp and continue at 

Step HI; otherwise, continue at Step CI 7. 

At this point the EFT terminal will display a message indicating to the user that the cardholder Is now 
^ required to enter the PIN on the terminal consumer module (28 Rg. 2) if there Is agreement on transaction 
details, amount, eta 

At User Cardholder: 

Step HI Enter PIN into card via terminal after agreeing to the transaction details (e.g., amount etc.). 
3S Then continue at Step C11. 

At the ppm: 

Step C11 Compute TAP1 using PAN, KP, PIN and stored Tterm,card. 

^ The card user's identification PAN is enciphered using an XOR function of KP and the entered PIN as a 
key. The result of the first encipher operation is XOR'd with PAN defining AP. The stored Tterm,card is then 
deciphered using AP as the key to produce TAP1. 

Step C12 Generate KSTR3 using PAN, KP, PIN and stored PIN and Tl88,term,card. 

45 

The generation of KSTR3 Is illustrated in Rg. 8. The card users identification PAN is deciphered using 
an XOR function on PIN and KP as the key. The result of the first decipher operation is XOR'd with PAN 
defining KTR2. Tis8,card,term Is then deciphered using KTR2 as the key to produce the transaction session 
key KSTR3. 

so 

Step C13 Store KSTR3 and destroy PIN value. 
Step C14 Send TAP1 to terminal. 

At the EFT Terminal: 

SB Step T17 Compute Tf88,term,card from stored Tterm,card and issuer received TIss. Compute TAP2 
from Card-receh/ed TAP1 and Tis8,term,card. 

The computation of Tiss,term,card Is illustrated in Rg. 9. TIss received in Mresp is first loaded as a 
working key using a Load Key Direct (LKD) operation. The stored value of Tterm,card Is enciphered under 
60 Tiss using an Encipher (ENC) operation to produce ETiBsTterm,card, as follows: 

UCD: (Tissl 

ENC: ITterm,card]-*>ETiuTterm,card. 
65 The computation of TAP2 Is accomplished as follows. The card-received TAP1 Is first loaded as a 
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working key using a Load Key Direct (LKD) operation. The generated value of riss,temi.card is deciphered 
under TAP1 using a Decipher (DEC) operation to produce DTAPiTis8.tenn,c8rd, as follows: 

LXD: [TAPIl 

DEC: rn8S,term,cardl-»DTAPi'nss,term,card 
where TAP2 is defined equal to DTAM'n8s,term,card. 

Step T18 If TAP? equals received TAP2 of reference, then accept PIN arid continue at Step tl9; 

otherwise if re-entry of the PI N is permitted, as the predetermined number of failed attempts 

is not exhausted THEN continue at Step HI; ELSE continue at Step T22. 
Step T19 Complete the card holder transaction (i.e., hand over goods, print receipt etc.). 
Step T20 If completion successful THEN continue at Step T21; ELSE continue at Step T22. 
Step T21 Formulate Message status Mstat (reflecting the outcome of the transaction) and send the 

CSD portion of Mstat to ppm. Continue at CI 5. The format of the Mstat is shown In Rg. 16. 
Step T22 A negative condition has been detected by the terminal |e.g., response tirneout, 
MACliss,term check failed, a negative Mresp from issuer due to IVIAC1card,lss check failure 
at Issuer, printer failure, PIN Invalid, etc.). 
StepT23 Formulate a negative status message Mstat as shown in Rg. 17 and contmue at Step TZ4. 

(The code word portion of Mstat Indicates whether Mstat represents a positive or negative 

StepT24 ^reE«(pS^ from the Mresp. Compute MAC2term,iss on theTSD portion of Mstat (Fig. 16) 
or on the TFD portion of the negative Mstat (Fig. 17), as appropriate, by an Encipher Data 
(ECPH) operation (described by Rg. 7) using enciphered key parameter EkmtKSTR2 (obtamed 
from Mresp in Step T9) as follows: 

ECPH: (£KMTKSTR2.TSDl->MAC2term,iss 

or 

ECPH: lEK^rrKSTR2,TFDl->MAC2term,lss 

where the last or part of the last block of resulting clphertexl is defined as MAC2tenm,i8S. 

Replace clear PAN with EksPAN. Encipher the received TAP! (Step T17) by an Encipher 
Data (ECPH) operation using previously stored enciphered session key EkmrKS as follows: 

ECPH: [EkmtJCS, TAPIt-EKsTAPI 

Replace TAP1 with EksTAPI in Mstat. 
Step T25 Send Mstat to issuer via acquirer and switch (MAC2card,iss will be absent in all negative 
status conditions). Conclude processing at the terminal and continue at Step 120. 

If a Mstat is generated because a MAC check has failed on either a positive or negative Mresp, then a 
Netwvork Administration Centre processor Is informed so that system failures can be monitored and 
possible faults corrected. 

^tep CIS Receive CSD portion of Mstat from terminal. Compute MAC2card,is8 on the CSD portion of 
Msfat using stored key parameter KSTR3 (Step C13) as the enciphering key. Generation of a 
message authentication code is illustrated In Rg. 7. 

Step CI 6 Send positive response and MAC2card.lS8 to terminal and continue at Step T24. 

Step C17 Send negative response to terminal indicating that MAC check at Step C9 has failed, and 
continue at Step T23. (A MAC is not calculated here because the check for MAC1i8s,card 
which is end-to-end, failed. Most likely another end-to-end MAC will not be successful 
either). 

At the Issuer Host: 

Step 120 Receive Mstat. If a Positive Mstat Is received continue at Step 121 ; otherwise, if a negative 

Mstat is received continue at Step 131. 
Step 121 Process positive Mstat Extract ErsTAPI as appropriate and EksPAN from positive Mstat and 

decipher the enciphered TAP1 (as appropriate) and PAN, i.e., E^TAPI and EksPAN, by a 

Decipher Data (DCPH) operation using the previously stored enciphered session key 

EkmoiuKS (Step 11) as follows: 

DCPH: lEK„ote.KS, EKsTAPIl-TAPt 
DCPH: IEk«oi«KS, EksPANJ^PAN. 
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Replace enciphered TAP1 (as appropriate) and PAN with clear TAPl end PAN in Mstat. 
Step 122 Extract Tiss from Mstat and encipher Tiss under the issuer's host master key (KMOiss) fay an 
Encipher Master Key (EMK0) operation as follows: 

EMK0: [TIssl-^EKMoiMTiss. 

Extract Tterm^card from Mstat and generate the time-variant Tiss,term«card by an Encipher 
Data (ECPH) operation using enciphered Tiss, i.e., EmMOiss'Tiss, as the Icey, as follows: 

ECPH: [Ewy»i«Tiss,Tterm,cardJ-»'ETi.Jterm,card • 

where Ti88,t8rm,card is defined as ETtBsTterm^rd. 
Step 123 Regenerate KSTR2 by an RTMK operation using enciphered kay parameter EkmbissKNRss 
obtained from the issuer's CKDS and Ttss,term,card obtained at Step 122 to produce 
EKMoinKSTB2, as follows: 

RTMK: [EKM2issKNRss,Tiss,term,cardl-> 
EKMoi.«DKNn«Tiss,term,card 

where KSTR2 is defined as DKNn>sTiss,term,card. 
Step 124 Compute MAC2term,iss of reference on the TSD portion of the received Mstat by an Endpher 
Data (ECPH) operation (described by Fig. 7) using enciphered Icey parameter EiayioiuKSTR2 
(regenerated at Step 123) as follows: 

ECPH: [EKMoi..KSTR2,TSD]-»MAC2termjss 

where the last or part of the last block of resulting ciphertext is defined as MAC2term,iss of 
reference. If computed MAC2term,i8s of reference equals MAC2term,iss received in Mstat, 
then continue at Step 125; otherwise continue at Step 130. 

Step 125 If computed Tlss,term,card (Step 122) equals stored Tiss,term,card (Step 14), then continue at 
Step 126; otherwise, continue at Step 130. 

Step 126 Generate KSTR3 by an RTMK operation (Rg, 8) using enciphered key parameter EKM2inKTR2, 
obtained from the issuer's CKDS for the particular cardholder with personal account number 
(PAN), and Tiss,term.card generated at Step 123, to produce Ekmoiw(KSTR3), as follows: 

RTMK: [EKM2inKTR2, Tiss,term,card}-^E;^,.Diait2Tiss,term,card 

where KSTR3 is defined as DKrR2Tiss,term,card. 
Step 127 Compute MAC2card,iss of reference on the CSD portion of the received Mstat by an Encipher 
Data (ECPH) operation (described by Fig. 7) using enciphered key parameter EkmoimKSTR3 
(generated at Step 126) as follows: 

ECPH: [EKMoi8»KSTR3,CSD)-*MAC2card,iss 

where the last or part of the last block of resulting ciphertext is defined as MAC2card,iss of 
reference. If computed MAC2card,iss of reference equals MAC2card,iss received in Mstat 
then continue at Step 128; othenwise, continue at Step 130. !> 
Step 128 Accept the transaction and update records. 

Step 129 Formulate a positive acknowledgement message (Mack) and send Mack to the acquirer 

system or to the terminal's sponsor host Continue at Step 137. 
Step 130 Reject the transaction and initiate a negative acknowledgement message (Mnak) and send 

Mnak to the terminal and the Network Administration Centre. 
Step 131 Process negative Mstat generate KSTR2 by an iTTMK operation using enciphered key 

parameter EiouiassKNFiss obtained from the issuer's CKDS and stored T1ss,term,card 

obtained at Step 14 to produce EKMoi.aKSTR2, as follows: 

RTMK: [Eki«i..KNRss, Tiss,term/Mrdl-»'EKi«i«,DK,OT„Tlss,term,card 

where KSTR2 is defined as DKNFi.«Tis8,term,card. 
Step 132 Compute MAC2term,iss of reference on the TFD portion of the received Mstat by an Encipher 
Data (ECPH) operation (described by Rg. 7) using enciphered key parameter EkmoimKS^^ 
(regenerated at Step 131) as follows: 

ECPH: (EKWH..KSTR2, TH>HMAC2term,iss 
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where the last or part of the last block of resulting ciphertext is defined as MAC2terrn,lss of 
reference. If computed MAC2term,iss of reference equals MAC2term.i8S received in the 
negative Mstat, then continue at Step 133; otherwise continue at Step 136. 

Step 133 Extract Tiss from the received negative Mstat. If the received Tiss equals stored Ties (Step 13), 
5 then continue at Step 134; otherwise, continue at Step 136. 

Step 134 Accept the negative Mstat and update records. _. , *u s 

Step 135 Formulate a. positive acknowledgement message (Mack) and send Mack to the acquirer 
■ system or to the terminal's sponsor host. Continue Step. 137. ' i ' a 

Step 136 Reject the negative Mstat and initiate a negative acknowledgement message (Mnak) and send 
fO Mnak to the terminal and the Network Administration Centre. 

Step 137 Halt procedure. 

Rgures 10, 11 and 12 illustrate the sequence of the steps of the method in a flow chart form. Starting 
with Step C1 at the personal portable microprocessor (Fig. 10) the steps continue to 137 |Rg. 1 2) which ends 

IS the tranMCtooTL ^^^.^^^ ^^^^^ ^^^^^ advantage in that when the POS terminal is in a 

supermarket environment the personal verification check which typically should take between 1—5 
seconds can be initiated before the goods are totalled and completed well before the total amount due has 
been calculated. Unless there is some valid reason for referring the user's card there should be no 

20 additional delay at the temninal for customers using the EFT system for payment of goods. 



Claims 

1 An electronic funds transfer system in which EIT terminals are connected through a local^ data 
25 processing centre (acquirer) to a public switch system (switch), a plurality of card-issuing agencies data 
processing centres are also connected to the public switch system and each user of the EFT system has a 
personal secure intelligent bank card on which is stored a personal account number (PAN) and a personal 
key (KP), the system including 

means at each local data processing centre to generate session keys (KS) for each of its locally attached 
30 terminals, and to transmit an associated session key to a respective temninal, 
at each terminal means to store the session key, 

means to encipher sensitive data (PAN) under the session key whenever a transaction request 

'"^^eans^o gen'eraS a transaction variable for each transaction Initiated at the terminal and to transfer 
38 the transaction variable to the card* ^ ^ i/e . *u 

means to transfer a message request including the transaction vanable enciphered under KS to the 
users card and means on the card to generate a message authentication code using a time-vanant key 
(KSTR1) based upon the users PAN, ICP and the transaction variable, 

means at each local data processing centre to encipher the appropriate sess on key under a 
40 cross^omaln key whenever a transaction request message is received and to add the enciphered key to the 

'"^^means at each processing node of the public switch system to translate the enciphered session key 
from encipherment under a received cross-domain key to a transmission cross-domain key, 

means at the card issuing agency's data processing centre to decipher the enciphered session key and 
45 to use the key to decipher any sensitive data contained In the request message, and 

means to regenerate the message authentication code using the time vanant key (KSTRl) whichls 
generated from parameters based upon the PAN and KP and the received transaction variable for 
comparison with the message authentication code Included in the received message. 
2. An electronic funds transfer system as claimed In Claim 1 further including 
means at the card and terminal for each transaction Initiated at the terminal to generate a first 
transaction variable (Tterm,card) and to include the first transaction variable in a transaction message 
request sent to the c.i.a. data processing centre (steps CI— T6 (Rg. 10)), 

the system also including at the c.l^. data processing centres, . ^ ^ 

means to construct a response message to each transaction request message received, each positive 
response message Including a first portion (CTR) on which a first message authentication code is generated 
using a key derived from the first transaction variable, the user's personal key end personal account 
number, and a second portion including the first portion on which a second message authentication code is 
generated using as an encipher key a random or pseudo-random number and means to encipher the 
random number key under a cross-domain key and to add the enciphered key to response message (steps 

" ""'means at the terminal to receive the response message and to decipher the random number key, to use 
* the deciphered key to recreate a message authentication code based upon the second portion of the 

received message and to compare the recreated message authentication code with the received second 

message authentication code (steps T7 — ^T13 (Rg. 11))» 
6s means at the card to use the first transaction variable, the personal key and the personal account 



so 



ss 



17 



EP 0140 013 B1 



number to derive an encipher key to generate a message authentication code on the first portion of the 
message and to compare the recreated message authentication code with the received first message 
authentication code (steps C7-~C14 (Fig. 11)). 

PatentansprQche 

1. Elelctronisches Gefduberweisungssystem (EFT), in welchem EFT-Benutzerstationen Ober ein lolcales 
Datenverarbeitungszentrum (Erwerber) an ein offentiiches Schaitsystem (Schalter) angeschlossen sind, 
eine Vielzahl an Oatenverarbeitungszentren yon Icartenausgebenden Verfcaufspunjcten eberifalls an das 

'6ffentfiche Schaltsysterii angeschlosten siiid und Jeder Beniitzer des Ef^*Systems'eine gesicherte 
persfinllche Intelligente Banklcarte besitzt, auf welcher eIne persdnllche Kontonummer (PAN) tind ein 
persdnllcher SchlQssel (KP) gespeichert sind, wobei das System aufweist: 

an jedem lokalen Datenverarbeitungszentrum Einrichtungen, urn SitzungsschlQssel (KS) fur jeden 
seiner lokal angeschlossen en Benutzerstationen zu generferen und urn einen zugehdrigen 
SitzungsschlOssel an eine zugehorige Benutzerstation zu Obertragen, 

an jeder Benutzerstation Einrichtungen um den SitzungsschlOssel zu speichern, 

Einrichtungen aufweist. um jedesmal, wenn eine Anforderungsmeidung fOr eine Transaktion generiert 
wird, vertrauiiche Daten (PAN) nach dem SitzungsschlOssel zu versch I Ossein, 

Einrichtungen, um eine Transaktionsvariabte fur jede Transaktion, die an der Benutzerstation 
begonnen wird, zu generieren und um diese Transaktionsvartable auf die Kart zu Obertragen, 

Einrichtungen, um eine Anforderungsmeidung, einschlieBlich der Transaktlonsvariablen, welche nach 
KS versch lusselt ist, auf die Benutzerkarte zu Obertragen, und Einrichtungen auf der Karte, um einen 
Berechtigungscode fur Meldungen zu generieren, unter Verwendung eines zeitlich-variablen Schlussets 
(KSTR1), welcher auf den PAN und KP des Benutzers und der Transaktionsvariable basiert, 

an jedem lokalen Datenverarbeitungszentrum Einrichtungen, um den geeigneten SitzungsschlOssel 
nach eihem Mehrdomanenschlussel zu verschiOsseln, jedesmal wenn eine Anforderungsmeidung fOr eine 
Transaktion empfangen wird und, um den verschlOsselten SchlQssel zu der Meldung zu fOgen, 

Einrichtungen an jedem Verarbeitungsknoten des dffentlichen Schaltsystems, um den verschlOsselten 
SitzungsschlOssel von der VerschlOsselung nach einem empfangenen MehrdomSnenschlQssel in einen 
Obertragungs-MehrdomSnenschlOssel zu Qbersetzen, 

Einrichtungen an dem Datenverarbeitungszentrum des kartenausgebenden Verkaufepunkts, um den 
verschlOsselten SitzungsschlOssel zu entschlOssein und um den SchlQssel zur Entschiusselung jeglicher 
vertrauiicher Daten, welche in der Anforderungsmeidung enthalten sind, zu verwenden, und 

Einrlnchtungen, um den Berechtigungscode fur Meldungen zu regenerieren, unter Verwendung des 
zeitlich-variablen SchlOsseis (KSTR1), welcher aus Parametern generiert wird, die auf den PAN, KP und der 
empfangenen Transaktionsvariable basreren, fOr den Vergleich mit dem in der empfangenen IVIeldung 
enthaltenen Berechtigungscode fur Meldungen, 

2. Elektronisches GeldOberweisungssystem nach Anspruch 1, welches welters 
Einrichtungen auf der Karte und an der Benutzerstation aufweist, welche fur jede Transaktion, die an 

der Benutzerstation begonnen wird, eine erste Transaktionsvariable (Tterm,card| generieren und die erste 
Transaktionsvariable in eine Anforderungsmeidung fur eine Transaktion einschlieBen, welche dem ci.a. 
Datenverarbeitungszentrum gesendet wird (Schritte CI— T6 (Rg. 10)), 
wobei das System an den ci.a. Oatenverarbeitungszentren 

Einrichtungen aufweist, um eine Antwortmeldung auf jede Anforderungsmeidung fOr eineTransakti'on 
zu erstellen, wobei jede positive Antwortmeldung einen ersten Tell (CTR) aufweist, mittels dem unter 
Verwendung eines von der ersten Transaktionsvariable, dem persdniichen SchlQssel und der persdnlichen 
Kontonummer des Benutzers abgeleiteten SchlOsseis ein erster Berechtigungscode fQr Meldungen 
generiert wird, und einen zweiten Teil, der den ersten Tell beinhaltet mittels dem ein zweiter Echtheitsoode 
fQr Meldungen generiert wird» wobei als VerschlOsselungsschlQssel eine Zufalls- Oder Pseudozufallszaht 
verwendet wfrd, und (weiters) Einrichtungen, um den ZufallszahlenschlOssel nach einem 
MehrdomSnenschlOssel zu verschlOsseIn und um den verschlOsselten SchlQssel zu der Antwortmeldung zu 
fugen (Schritte 11—119 (Fig. 10)), 

an der Benutzerstation Einrichtungen aufweist die die Antwortmeldung empfangen und den 
ZufallszahlenschlOssel entschlOssein, die den entschlusselten SchlQssel verwenden, um einen 
Berechtigungscode fur Meldungen neu zu erstellen, welcher auf dem zweiten Teil der empfangenen 
Meldung basiert, und die den neuersteilten Berechtigungscode fOr Meldungen mit dem empfangenen 
zweiten Berechtigungscode fur Meldungen vergleichen (Schritte T7— TIG (Rg. 11)) und 

Einrichtungen auf der Karte aufweist, die die erste Transaktionsvariable, den persdnlichen SchlQssel 
und die persdnllche Kontonummer verwenden. um einen VerschlOsselungsschlQssel abzuleiten, der einen 
Berechtigungscode fur Meldungen mittels des ersten Teils der Meldung generiert, und die den 
neuersteilten Berechtigungscode fOr Meldungen mit dem empfangenen ersten Berechtigungscode fOr 
Meldungen vergleichen (Schritte C7--C14 (Rg. 11)). 

Revendications 

1. Syst^me diectronique de transfert de fonds dans lequel des terminaux EFT sent connectSs par 
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rintermediaire d'un centre local de traitement de donndes (uniti de saisie) 4 un systftme de commutation 
public {commutateur). une pluralit6 de centres de traitement de donn6^ d organisations ddrms^^^ 
cartes sent figalement connect6s au systdme de commutation public, et chaque 

possdde une carte bancaire intelligento personnelle de s^urit6 sur laquelle sont stock§s un numero de 
^ compte personnel (PAN) et une cl6 personnelle (KP). le syst^me comprenant „^q» 
des moyens, h chaque centre local de traitement de donn6es, pour g6nerer des cl6s de session (KS) 
pour chacun de ses terminaux localement raccord^. et pour transmettre une old de session associde d un 

' terminal respectif, * ' . " _. 

h chaaue terminal, des moyens pour stocker ia cle de session. , - , 

" d^ moyens pour chiffrer ies donndes confidentielles {PAN) selon la cl6 de session, chaque fois qu un 

message de demande de transaction est g6n6r6, 

d^ moyens pour gendrer une variable de transaction pour chaque transaction commenc6e au 
terminal et pour transferer la variable de transaction ft la carte, 

des moyer^ pour transferer un message de demande comprenant la variable transartion ch.ffr6e 
selon KS d la carted'utlHsateur, et des moyens pr6vus sur la carte pour g6n6rer un code d authentlficabon 
?e message en u™ une d6 variant dans le temps tKSTRl) bas^e sur Ies PAN et KP d'util.sateur et sur la 

"""des ™rSiie centre local de traitement de donnfies, pour chiffrer la cl6 de session appropriee 
selon une old inter-domalne chaque fois qu'un message de demande de transaction est regu et pour ajouter 

" 'IfriJLy^^^^^^^ de traitement du syst6me de commutation public, pour Jaduire la cl6 de 

session chiffr6e du chlffrement selon une cl6 interdomaine regue i une clj inter-^omahie transmission, 

des moyens, au centre de traitement de donn6es de I'organisation d Emission de «rte8, pour 
ddchlffrer la cl6 de session chlffrSe et pour utillser la cl6 au d6chlffrement de toutes donn6es confidentielles 
contenues dans le message de demande, et j« 

des moyens pour recr^er le code d'authentificatlon de massage au moyen de la quantity k vanance de 
temps (iStoi) qui est gen6r6e & partir de param6ires bas6s sur Ies PAN et KP et sur la variable de 
Sciion^^^^^ comparaison avec le iode d'authentlflcation de message Indus dans le message 

30 ^^l' svstfime electronique de transfert de fonds suivant la revendication 1, comprenant en outre 
des moyens, sur la carte et au terminal, pour diaque transaction comrnenc6e au term 
une premidre variable de transaction (Ttemi.cardJ et pour inclure la premiere vanabie transaction dans 
un mesMge de demande de transaction envoy6 au centre de traitement de donn6es de I'organtsatlon 
d'dmlssion de cartes (Etapes CI— T6 (Rgure 10)), ^ ^ ^ ^, • H'A«,i..«r«« 

^ le systdme comprenant6galement, aux centres de traitement de donn6es d'organ.sation d emission 

'dw moyens pour construire un message de rdponse k d^aque messagad| demande de transaction 
recu. chaque message de rfiponse positif comportant une premiere partle (CTR) sur aquelle un premier 
Sde d'au'hentificatiSn de message est g6n6re au moyen d'une c\6 obtenue * partjrde la P«""^^«;«^ 
de transaction, de la d6 personnelle et du numAro de compte personnel de ["til Mteur. et une deuxidme 
parte compre^am la premiere partie sur laquelle un deuxI6me code ^'authentication de me^^^^^^^ 
g§n6r6 en utillsant comma de de chlffrement un nombre al6atoire ou pseudo-aieatolre. « des moyens 
pour chiffrer la de de nombre aieatolre selon une d6 inter-domalne et pour ajouter la de chlffree au 
message de reponse {Etapes II— 119 (figure 10)), u«f i .ia ^» «««,hr« «iA«tnir» 

« des moyens. au terminal, pour recevoir le message de r6ponse et dechrffrer la cie de nombre aieatoire, 
pour utiliser la cie d6chtffree afin de recreer un code d'authentlflcation de message sur la base de la 
deuxieme partie du message repu. et pour comparer le code d'authentlflcation de message recr66 avec le 
deuxieme code d'authentificatlon de message re^u {Etapes T7— T13 (figure 11 ). 

des moyens. sur la carte pour utiliser la premiere variable de transaction, ia c\6 personnelle et le 

» numero de compte personnel de manidre e obtenir une d6 de chlffrement pour g6n6rer un code 
d'authentiflcation de message sur la premiere partie du message, et pour comparer le code 
d'authentification de message recree avec le premier code d'authentificatlon de message re^u (Etapes 
C7— C14 (figure ID). 
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